Are your Contracts GDPR Compliant?
GDPR requires that organisations contracting with another, where this agreement includes the processing of personal data, ensure that certain clauses are included within a contract between both parties. In January 2020, the Danish Data Protection Agency released standard clauses that must be included within contracts and this was adopted by the European Data Protection Board. It seems that it is now a good time to reflect on the requirements and double-check you have everything in place.
the subject matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data and categories of data subject; and
the controller’s obligations and rights.
The controller, therefore, needs to be very clear from the outset about the extent of the processing it is contracting out.
Processing only on the documented instructions of the controller. This means there must be a clause preventing the processor from acting outside of the controllers instructions, a common way to achieve this is to set a detailed SLA with provision for the processor to ask for permission to deviate, this, however, must be made in writing.
Duty of confidence – the processor must promise confidentiality within the agreement (unless it is already required to by statute) and must ensure that employees, contractors, agency workers it ‘employs’ also agree to this confidentiality clause
Appropriate security measures – the contract must bind the processor to agree to put in place security measures. You don’t need to spell these out, however, it may be useful to include some minimum standards in your SLA.
Using sub-processors – the processor must ask the permission of the controller prior to instructing any sub-processor. The controller maintains the right to veto, even after initially agreeing. If the processor employs a sub-processor, it must put a contract in place imposing the same Article 28(3) data protection obligations on that sub-processor. This should include that the sub-processor will provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the GDPR’s requirements. The wording of these obligations do not need to exactly mirror those set out in the contract between the controller and the processor, but should offer an equivalent level of protection for the personal data
Data subjects’ rights. This is where you would set out the requirement to have processes to meet GDPR obligations in respect of the rights of the data subjects. For example, the right to object, be forgotten or the right to access.
Assisting the controller. Under Article 28(3)(f) the contract must say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:
keep personal data secure;
notify personal data breaches to the supervisory authority;
notify personal data breaches to data subjects;
carry out data protection impact assessments (DPIAs) when required; and
consult the supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.
End-of-contract provisions enabling the controller to demand deletion or a return of the data held
Audits and inspections, the processor must assist the controller in auditing compliance with the contract and GDPR.
These are the minimum required, but the controller and processor may agree to supplement them with their own terms.